action, a register of the microprocessor of the chip card
stores a specific code for checking the authorized nature of 
the operations performed by the new software component or 
hardware action for accessing the memory of the chip card, 

38 Claims, 1 Drawing Sheet 



[Drawing: reference numerals 100, 250, 230 and 220; blocks labelled CS, MEM. CTRL and Appli]




CERTIFICATE OF CORRECTION (continued) 






US 6,776; 

SECURED ACCESS DEVICE WITH CHIP
CARD APPLICATIONS

FIELD OF THE INVENTION

The present invention relates to a secured access device
for chip card applications. More specifically, the invention
relates to a device for secured access to chip card
applications that uses instructions that have been performed
in the chip card which, at each instant, provide information
on rights for accessing the memory of the chip card, the
software component, or the hardware operation that has been
performed in the chip card.

BACKGROUND OF THE INVENTION

The most common type of chip card has a microprocessor
that manages a program memory. The program memory is
usually dedicated to a single application or a set of
applications loaded at the same time into the chip card. When
several applications are loaded into a chip card, they have a
close relationship with one another, and are all designed for
the same type of service. Thus, for example, a chip card
cannot simultaneously play the role of a bank card and that
of a customer card for another type of business.

In order to end this situation where each chip card has to
be limited to one type of application, new software
architectures are being considered. These new software
architectures are making use of the development of
standardized programming languages which resolve the problems
of portability, such as the programming language JAVA, for
example.

FIG. 1 is a simplified view of a software architecture of
the chip cards that are now being developed. The
architecture shown in FIG. 1 includes, in particular, a first
part 110 that corresponds to the software architecture and a
second part 120 that corresponds to the applications part of
the software architecture for the chip card 100. The system
part 110 is essentially formed by a library of programs 112
for the operating system of the chip card, an interface 114
to manage the interactions with the microprocessor or the
different memories of the chip card, and a space for the
management of hardware interruptions 116.

The applications part 120 of the software architecture
includes different applications, such as a first, second and
third main application, respectively 122, 124 and 126, and a
first, second and third additional application, respectively
121, 123 and 125. The main applications 122, 124 and 126
are written in a programming language that can be directly
understood by the processor of the chip card.

The additional applications 121, 123 and 125 are typically
applications encoded in a standardized language. These
applications may be added at any point in time to the system
part 110. In FIG. 1, the additional applications 121, 123 and
125 depend directly on the first main application 122. The
first main application 122 herein serves as an interpreter
between the additional applications and the operating system
by converting the codes of the additional applications into a
machine language that can be understood by the programs of
the operating system 112.

The software architecture that has just been described is
more complex than the one currently existing in chip cards
in circulation. The architecture described assumes that it is
possible to add applications in a standardized programming
language, possibly after the chip card is put into circulation.
It is therefore more complicated to achieve a satisfactory
level of security compared to when a single application or a
group of applications dedicated to a single chip card
function are the only applications to be loaded into the chip
card. The chip card was then permanently limited in terms of
available applications. The risk that a new application might
disturb the operation of previous applications was therefore
not as great.

The coexistence of applications of different kinds in the
same chip card may raise a certain number of problems. For
example, a software architecture simultaneously containing
an application dedicated to the assessment of a customer's
access to a gasoline company and a standard banking
application must ensure that a secret key used in the banking
application cannot be read during the use of the application
associated with the gasoline company.

SUMMARY OF THE INVENTION 

It is an object of the present invention to overcome the 
problems that have just been described. 

A device is provided that enables the management of
different software applications that are installed, possibly
at different times, or the management of different hardware
events of a chip card while providing high security. Thus, the
device according to the invention offers the possibility of
detection when the user of an application tries to exceed his
rights, for example, by attempting to access data not
intended for the application in question.

To achieve this objective, the device sets up specific
instructions internal to the microprocessor of the chip card.
These specific instructions are call instructions and return
instructions. These call and return instructions are associated
with specific registers for determining whether the
operations performed by the application are authorized.

The invention therefore pertains to a device for accessing 
applications of a chip card comprising a microprocessor 
associated with an operating system working with a set of 
instructions, a program memory, and one or more applica- 
tions in a memory of the chip card. 

The device comprises a register of the microprocessor to
store a code on several check bits proper to an entity brought
into play. Also included are a call instruction, and an
instruction for the return of the set of instructions to
instantaneously and automatically update the register during
the action by a new entity. The device further includes a
checking device for checking, as a function of the check bits,
whether access to the zones or address location of the memory
of the chip card by the new entity that is called or comes
into action in the chip card is authorized. A first link
transmits the check bits from the microprocessor to the
checking device.

According to a particular embodiment of the device of the
invention, each new entity being executed is activated at a
predefined address of a read only memory (ROM) of the
chip card. According to different embodiments of the
invention, the entity operating in the chip card may be an
application of the one or more applications or a hardware
event, or the operating system associated with the
microprocessor of the chip card.

BRIEF DESCRIPTION OF THE DRAWINGS 

The various aspects and advantages of the invention shall 
appear more clearly hereinafter in the following description 
made with reference to the appended figures which are given 
purely by way of an indication and in no way restrict the 
scope of the invention, and which are now introduced: 

FIG. 1 is a simplified block diagram of a software
architecture for the chip cards currently being developed
according to the prior art; and

FIG. 2 is a block diagram illustrating the principle of
operation for the execution of an application within a chip
card according to the present invention. A microprocessor
200 manages the set of operations for a plurality of
applications 210 of the chip card 100.

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

A two-way bus 250 exchanges information between the
microprocessor 200 and any application of the plurality of
applications 210-212. The information exchanged may be
data elements, addresses or control instructions. An access
controller to the memory 220 exchanges information with
the microprocessor 200 using a link 230, which conveys a
control signal between the microprocessor 200 and the
controller providing access to the memory 220.

When an entity such as the application 211, for example,
requires the intervention of another entity, such as an
application 212, it sends a call instruction DCALL using the
two-way bus 250 followed by a designation of the entity called
and a parameter enabling the nature of the call to be
determined. According to the invention, a register R is
updated during such calls. A certain number of bits of the
register R then assume a value associated with the called
entity. The register R is therefore a hardware component of
the microprocessor 200 used to store a code proper to the
entity of the software architecture that is being performed,
and to control its field of execution.

Furthermore, the device according to the invention may
also take into account instructions known as hardware
instructions, such as resetting type instructions, for example.
Instructions known as hardware instructions are events that
may occur in real time and generate interruptions in the
microprocessor of the chip card. This type of event is
managed by the device in the same way as the software
instructions. The bits of the register R take a very precise
value appropriate to each real-time event affecting the chip
card, thus limiting and controlling the rights pertaining to
these events.

The information given by the register R is thus capable of 
checking information on the identification of the zone of the 
software architecture concerned by the application being 
executed. This information is checked at the microprocessor 
or at any other entity external to the software architecture. 

The information given by the register R enables the
checking of the zone of the memory of the chip card in
which the application is permitted to be accessed. Thus, any
user attempting to make fraudulent use of the operating
system in order to recover data pertaining to a particular
application is refused access to this data. The bits of the
state register in this case are different from the bits that
might correspond to a call instruction DCALL of the particular
application in question.

The addresses to be accessed and the bits of the register R
sent by the microprocessor via link 230 are compared with
each other in the access controller of the memory 220. If the
addresses of the memory to be accessed are not addresses
belonging to the authorized field of the last application
having performed a call instruction DCALL, then information
on illegal access to the memory is prohibited.

The device according to the invention thus provides great
security in the sense that data elements intended for one
application cannot be used by another application. A second
register CS makes it possible to retain in memory a code
proper to the applications that were active at the last call
instruction DCALL sent by the current application, namely
those that are to be performed following the current
application.



When the current application has completed execution, a
return instruction DRET is executed by the microprocessor
and the data elements contained in the second register CS
enable a return to the application that was being performed
previously and had been activated by a call instruction
DCALL. The register R is also updated.

The second register CS cannot be directly accessed by the
applications of the chip card. This is to ensure the integrity
of the device when it is put into operation during the
execution of a return instruction DRET. When the execution of
the current application is finished, the bits of the register R
assume a value specific to the application that was being
performed previously, restoring its rights and limits in terms
of memory access. The memory zone access device according
to the invention gives a high level of security in terms of
access to the different zones of the memory for a software
architecture such as the one shown in FIG. 1.
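
The DCALL/DRET behaviour of registers R and CS and the comparison made in the access controller 220, as described above, can be modelled in software. The following C model is an added illustration, not code from the patent; the entity codes, the zone address ranges and the treatment of CS as a four-entry stack for nested calls are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Entity codes and zone bounds are constructed sample values. */
enum { ID_OS = 0x1, ID_BANK = 0x2, ID_GAS = 0x3 };
#define CS_DEPTH 4              /* assumed nesting depth for register CS */

typedef struct { uint16_t start, end; uint8_t label; } zone_t;

/* Labels the memory access controller (220) holds for each zone. */
static const zone_t ZONES[] = {
    { 0x0000, 0x0FFF, ID_OS   },
    { 0x1000, 0x1FFF, ID_BANK },  /* holds the banking secret key */
    { 0x2000, 0x2FFF, ID_GAS  },
};
#define NZONES (sizeof ZONES / sizeof ZONES[0])

typedef struct {
    uint8_t  R;                 /* register R: code of the running entity */
    uint8_t  cs[CS_DEPTH];      /* register CS: caller codes, no application access */
    size_t   cs_top;
    unsigned violations;        /* refused accesses seen by the controller */
} cpu_t;

void cpu_reset(cpu_t *c) { c->R = ID_OS; c->cs_top = 0; c->violations = 0; }

static int known_entity(uint8_t id) {
    for (size_t i = 0; i < NZONES; i++)
        if (ZONES[i].label == id) return 1;
    return 0;
}

/* DCALL: save the caller's code in CS, then load the callee's code into R. */
int dcall(cpu_t *c, uint8_t callee) {
    if (!known_entity(callee) || c->cs_top == CS_DEPTH) return -1;
    c->cs[c->cs_top++] = c->R;
    c->R = callee;
    return 0;
}

/* DRET: restore R from CS so the caller regains exactly its own rights. */
int dret(cpu_t *c) {
    if (c->cs_top == 0) return -1;      /* nothing to return to */
    c->R = c->cs[--c->cs_top];
    return 0;
}

/* Access controller: compare the address's zone label with the bits of R
   received over link 230. Returns 1 if granted, 0 if refused. */
int mem_access(cpu_t *c, uint16_t addr) {
    for (size_t i = 0; i < NZONES; i++)
        if (addr >= ZONES[i].start && addr <= ZONES[i].end) {
            if (ZONES[i].label == c->R) return 1;
            break;
        }
    c->violations++;            /* wrong label or unmapped address */
    return 0;
}

int main(void) {
    cpu_t c;
    cpu_reset(&c);
    dcall(&c, ID_GAS);
    printf("gas  -> own zone : %d\n", mem_access(&c, 0x2010));
    printf("gas  -> bank key : %d\n", mem_access(&c, 0x1010));
    dcall(&c, ID_BANK);
    printf("bank -> bank key : %d\n", mem_access(&c, 0x1010));
    dret(&c);
    printf("after DRET, R=%u, bank key: %d\n", (unsigned)c.R, mem_access(&c, 0x1010));
    printf("refused accesses : %u\n", c.violations);
    return 0;
}
```

Because the check is a strict comparison against R, the operating system entity is refused the banking zone just as the gasoline application is, matching the description's statement that fraudulent use of the operating system does not expose another application's data.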

What is claimed is: 

1. A chip card comprising: 

a microprocessor including an operating system working 
with a set of instructions, said microprocessor compris- 
ing a first register for storing a multibit identification 
code identifying an entity to be executed, the set of 
instructions including a call instruction for calling 
based upon the multibit identification code a new entity 
to be executed, and for updating said first register dur- 
ing execution of the new entity by storing therein a first 
label associated with the entity being executed; 

a memory connected to said microprocessor for storing a 
plurality of application programs; 

a first link connected to said microprocessor for
transmitting the multibit identification code; and

a checking device connected to said first link for receiving 
the multibit identification code, and for checking 
whether access to locations in said memory is autho- 
rized for the new entity by comparing the first label 
with a second label, the second label being associated 
with the plurality of application programs in said 
memory or with the locations in said memory, and the 
second label also being used for initiating reading of 
one of said plurality of application programs therein. 

2. A chip card according to claim 1, wherein the set of 
instructions further includes a return instruction; and
wherein said microprocessor comprises a second register 
and loads the multibit identification code from said first reg- 
ister to said second register when the call instruction is 
executed, and at a same time the return instruction causes the 
contents of said second register to be loaded into said first 
register. 

3. A chip card according to claim 2, wherein said second 
register cannot be directly accessed.

4. A chip card according to claim 1, wherein the new 
entity to be executed is one of the plurality of application 
programs. 

5. A chip card according to claim 1, wherein the new 
entity to be executed causes a hardware event. 

6. A chip card according to claim 5, wherein the hardware
event resets said microprocessor. 

7. A chip card according to claim 1, wherein the set of 
instructions further includes a return instruction; and 
wherein said first register is updated in response to the return 
instruction. 

8. A chip card according to claim 1, wherein said checking
device provides a control signal to said microprocessor for
providing access to the locations in said memory if the new
entity to be executed is authorized.

9. A chip card according to claim 1, wherein the plurality
of application programs are written in a standardized
language.

10. A chip card comprising: 

a microprocessor including an operating system working
with a set of instructions including a call instruction 
and a return instruction, said microprocessor compris- 
ing 

a first register for storing a multibit identification code 
identifying an application program entity to be 
executed, the call instruction for calling based upon 
the multibit identification code a new application 
program to be executed, and for updating said first 
register during execution of the new application pro- 
gram by storing therein a first label associated with 
the application program being executed, and 
a second register for loading the multibit identification
code from said first register to said second register
when the call instruction is executed, and at a same
time the return instruction causes the contents of said
second register to be loaded into said first register;

a memory connected to said microprocessor for storing a
plurality of application programs; and

a checking device connected to said microprocessor for
receiving the multibit identification code, and for
checking whether access to locations in said memory is
authorized for the new application program by comparing
the first label with a second label, the second label
being associated with the plurality of application
programs in said memory or with the locations in said
memory, and the second label also being used for
initiating reading of one of said plurality of application
programs therein.

11. A chip card according to claim 10, wherein said second
register cannot be directly accessed.

12. A chip card according to claim 10, wherein each
application program causes a hardware event.

13. A chip card according to claim 12, wherein the hard- 
ware event resets said microprocessor. 

14. A chip card according to claim 10, wherein said first 
register is automatically updated in response to the return 
instruction. 

15. A chip card according to claim 10, wherein said 
checking device provides a control signal to said micropro- 
cessor for providing access to the locations in said memory 
if the new application program to be executed is authorized. 

16. A method for securing access to a chip card compris- 
ing a microprocessor including an operating system working 
with a set of instructions including a call instruction, and a 
memory connected to the microprocessor for storing a plu- 
rality of application programs, the method comprising: 

storing a multibit identification code in a first register 
identifying an entity to be executed; 

calling a new entity to be executed based upon the multibit
identification code stored in the first register;

updating the first register during execution of the new 
entity by storing therein a first label associated with the 
entity being executed; and 

transmitting the multibit identification code from the
microprocessor to a checking device, and checking
whether access to locations in the memory is authorized
for the new entity by comparing the first label with a
second label, the second label being associated with the
plurality of application programs in the memory or with
the locations in the memory, and the second label also
being used for reading one of the plurality of
application programs therein.



17. A method according to claim 16, wherein the set of
instructions further includes a return instruction; and
wherein the microprocessor comprises a second register and
loads the multibit identification code from the first register to
the second register when the call instruction is executed, and
at a same time the return instruction causes the contents of
the second register to be loaded into the first register.

18. A method according to claim 17, wherein the second 
register cannot be directly accessed. 

19. A method according to claim 16, wherein the new 
entity to be executed is one of the plurality of application 
programs. 

20. A method according to claim 16, wherein the new 
entity to be executed causes a hardware event. 

21. A method according to claim 20, wherein the hardware
event resets the microprocessor.

22. A method according to claim 16, wherein the set of 
instructions further includes a return instruction; and 
wherein the first register is updated in response to the return 
instruction. 

23. A method according to claim 16, wherein the checking 
comprises providing a control signal to the microprocessor 
for providing access to the locations in the memory if the 
new entity to be executed is authorized. 

24. A method according to claim 16, wherein the plurality 
of application programs are written in a standardized lan- 
guage. 

25. A method for securing access to a chip card compris- 
ing a microprocessor and a memory connected thereto for 
storing a plurality of application programs, the microproces- 
sor including an operating system working with a set of 
instructions including a call instruction and a return 
instruction, the method comprising:

storing a multibit identification code in a first register for
identifying an application program to be executed; 

calling a new application program to be executed based 
upon the multibit identification code;

updating the first register during execution of the new 
application program by storing therein a first label asso- 
ciated with the application program being executed; 

loading the multibit identification code from the first
register to a second register when the call instruction is
executed, and at a same time the return instruction
causes the contents of the second register to be loaded
into the first register; and

transmitting the multibit identification code from the
microprocessor to a checking device for checking
whether access to locations in the memory is authorized
for the new application program by comparing the first
label with a second label, the second label being
associated with the plurality of application programs in the
memory or with the locations in the memory, and the
second label also being used for initiating reading of
one of the plurality of application programs therein.

26. A method according to claim 25, wherein the second
register cannot be directly accessed.

27. A method according to claim 25, wherein each
application program causes a hardware event.

28. A method according to claim 27, wherein the hard- 
ware event resets the microprocessor. 

29. A method according to claim 25, wherein the first 
register is updated in response to the return instruction. 

30. A method according to claim 25, wherein checking
comprises providing a control signal to the microprocessor
for providing access to the locations of the memory if the
new application program is authorized.

31. A chip card comprising:

a microprocessor;

a memory connected to said microprocessor for storing a 
plurality of application programs; 

said microprocessor comprising a first register for storing
a first code, on at least one check bit, corresponding to a
first application program to be executed from said
plurality of application programs;

if execution of said first application program requires
intervention of a second application program from said
plurality of application programs, then said first
application program sends a call instruction to said
microprocessor requesting such intervention;

said first register being updated based upon the call 
instruction for storing a second code, on the at least one 
check bit, corresponding to said second application 
program to be executed; and 

a checking device connected to said microprocessor for
checking the second code as to whether access to
locations in said memory are authorized for said second
application program.

32. A chip card according to claim 31, wherein said
microprocessor comprises a second register for storing the
first code corresponding to said first application program
while said second application program is being executed;
said first register also being updated based upon the first
code.

33. A chip card according to claim 32, wherein after said
microprocessor executes said second application program,
said first register enables said microprocessor to return to
said first application program.

34. A chip card according to claim 32, wherein said sec- 
ond register cannot be directly accessed. 

35. A chip card according to claim 31, wherein said first
and second application programs are written in a
standardized language.

36. A chip card according to claim 35, wherein said first
and second application programs are loaded into said
memory after the chip card has been fabricated.

37. A chip card according to claim 31, wherein said
checking device provides a control signal to said
microprocessor for providing access to the locations of said
memory if said second application program is authorized.

38. A chip card according to claim 31, wherein said
checking device compares the address locations to be
accessed in said memory with the second code in said first
register.

* * * * *



